Host Integrity (HI) fails to run on multiple endpoints with the error "Fail to execute HI (2097153) -> HI Script exit abnormally, Exit Code: 3221225725".
WPP logs show the below entries:
[04/20/2026-11:41:08.132] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: HI verifying the HI Content before HI checking.
[04/20/2026-11:41:08.812] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: reset to history result in location Default
[04/20/2026-11:41:08.813] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: set HI result to HI_CHECK_FAIL.
[04/20/2026-11:41:08.823] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: HI checking is triggered.
[04/20/2026-11:41:09.018] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: Script Execution is started
[04/20/2026-11:41:09.021] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: The winsta\desktop is : Winsta0\Default
[04/20/2026-11:41:09.044] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: bFindWinlogon is 1
[04/20/2026-11:41:09.046] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: SetTokenInformation successfully
[04/20/2026-11:41:09.047] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: the using the first Vista/XP(FUS) method
[04/20/2026-11:41:09.296] SepManagementClient : 18ac : 1ffc : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :SMCGui - 19404: Create CCmcManagement
[04/20/2026-11:41:14.047] SepManagementClient : 18ac : 1ffc : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :SMCGui - 19404: Destroy CCmcManagement
[04/20/2026-11:41:14.288] SepManagementClient : 18ac : 1ffc : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :SMCGui - 19404: Create CCmcManagement
[04/20/2026-11:41:14.888] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: Fail to execute HI (2097153) -> HI Script exit abnormally, Exit Code: 3221225725
Symantec Endpoint Protection (SEP) 14.4 and 14.3x
SEP HI calls cscript.exe to execute the HI script. During this process, cyvrtrap.dll (which belongs to the Cortex XDR Exploit Prevention Client) is injected into cscript.exe. It appears that cyvrtrap.dll has a bug that triggers an infinite loop, exhausting the stack space.
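Consequently, cscript.exe terminates unexpectedly with the error STATUS_STACK_OVERFLOW (-1073741571), causing the SEP HI process to fail. The exit code 3221225725 in the WPP log is the same 32-bit value (0xC00000FD) read as an unsigned integer.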
The failure is due to a stack overflow within the Cortex XDR component. It is advised to contact the vendor (Palo Alto Networks) to resolve this issue.
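
To confirm that other endpoints are failing for the same reason, the HI failure entries can be pulled out of a WPP log and their exit codes decoded as NTSTATUS values. The script below is an added example, not Broadcom or Palo Alto Networks code; the function names and the small status table are assumptions made for illustration, and the sample lines are copied from the log above.

```python
import re

# Illustrative subset of NTSTATUS values that commonly show up as crash exit codes.
KNOWN_NTSTATUS = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000374: "STATUS_HEAP_CORRUPTION",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Matches the HI failure entry in the format shown in the WPP log on this page.
# [^\[] keeps a match inside one entry even when entries are run together on a line.
HI_FAIL = re.compile(
    r"\[(?P<ts>[^\]]+)\][^\[]*?HI: Fail to execute HI \((?P<hi>\d+)\)"
    r"[^\[]*?Exit Code: (?P<code>-?\d+)"
)

SEVERITY = ("success", "informational", "warning", "error")

def decode_exit_code(code):
    """Normalise a signed or unsigned 32-bit exit code and decode it as NTSTATUS."""
    u = code & 0xFFFFFFFF
    signed = u - 0x100000000 if u & 0x80000000 else u
    return {
        "unsigned": u,
        "signed": signed,
        "hex": f"0x{u:08X}",
        "severity": SEVERITY[u >> 30],  # top two bits of an NTSTATUS
        "name": KNOWN_NTSTATUS.get(u, "unknown"),
    }

def find_hi_failures(log_text):
    """Return one decoded record per 'Fail to execute HI' entry in the log text."""
    records = []
    for m in HI_FAIL.finditer(log_text):
        rec = decode_exit_code(int(m.group("code")))
        rec.update(timestamp=m.group("ts"), hi_error=int(m.group("hi")))
        records.append(rec)
    return records

# Two entries from the log on this page, deliberately left on one line.
SAMPLE = (
    "[04/20/2026-11:41:09.018] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: Script Execution is started "
    "[04/20/2026-11:41:14.888] SepManagementClient : 18ac : 2a94 : TRACE_DEBUG : TRACE_LEVEL_INFORMATION : SEP::CWPPLog::TraceFunc : WPPLog_cpp50 :HI: Fail to execute HI (2097153) -> HI Script exit abnormally, Exit Code: 3221225725"
)

if __name__ == "__main__":
    for r in find_hi_failures(SAMPLE):
        print(r["timestamp"], r["hex"], r["signed"], r["name"])
```

An endpoint whose HI failures decode to a different status, or to "unknown", is likely failing for another reason and should be investigated separately.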